BLACK HAT - Researchers: Rush to Ajax a security threat

Software developers using Asynchronous JavaScript and XML (AJAX) techniques to jazz up corporate Web sites are failing to pay attention to some very fundamental security issues, security researchers warned at the Black Hat USA conference in Las Vegas on Wednesday.

As a result, many companies that have rushed to AJAX-enable their sites may be dangerously vulnerable to a variety of Web-based threats of which they're not even aware.

AJAX is an increasingly popular programming technique that allows Web designers to make their Web sites more responsive to user input compared to traditional pages. Google, Yahoo and many other sites have embraced AJAX, which enables new content to be added to a Web page in response to user input without needing the entire page to be reloaded.

AJAX allows the browser to fetch small amounts of data from the Web server from which the content is loaded, using JavaScript and XML technologies. The approach is considered more efficient than having an entire Web page reload every time content needs to be refreshed. But if care is not taken to control the manner in which the browser accesses the server data, all sorts of security issues can arise, says Billy Hoffman, lead R&D engineer at Web security vendor SPI Dynamics.

Among the biggest of these threats, says Hoffman, is the opening that poorly coded AJAX sites can provide for malicious attackers to change the order in which a program executes functions. Poorly designed AJAX implementations often push program code that used to be stored and executed only on the server out to client browsers. This allows attackers to access the code and to manipulate the order in which a program's functions are executed, Hoffman said in an interview with Computerworld.

The availability of too much program code on the client side also allows attackers to perform actions such as changing the value of certain parameters, or deleting certain program calls entirely. Because an AJAX page typically sends many more individual requests and parameters to the server than a traditional page does, AJAX environments can also present more opportunities for hackers to inject malicious SQL queries and compromise applications if proper validation measures are not taken.

"Any secrets stored in JavaScript, whether secret data like discount codes or database connection strings, or secret functionality like backdoor administrative access, will be found and exploited," Hoffman said in a whitepaper he co-authored with Bryan Sullivan, development manager at SPI. "This is a far easier mistake to make in an AJAX application than in a traditional Web application because the client plays a larger role in data processing, presentation and possibly storage," they wrote.

To illustrate the threat, Hoffman and Sullivan demonstrated a series of attacks against a fictitious AJAX-enabled travel reservation site at a Black Hat presentation. The AJAX functionality in the site was completely built using tools and information sources that are commonly used by most AJAX developers today.

Hoffman and Sullivan showed how it was possible via the client browser to change the flow of the reservation program so that it would be possible for an attacker to book a ticket and not pay for it, or pay less than the quoted price for it.

The fundamental mistake that many AJAX developers make is to assume that code available on the client side will be treated in the same manner as server-side code, Sullivan said, speaking with Computerworld after the presentation. What such developers fail to realize, he said, is that when code originally intended to run on a server behind the firewall is delivered to a client browser, it becomes possible to manipulate and change that code.

"When you publicly expose server methods for your Ajax applications, you are essentially creating an API for anyone to call," the two researchers wrote in their white paper. As a result, care should be taken to expose only the required server-side methods, they said, adding that it also becomes vital to validate all user input for correct format and length to mitigate threats.
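The reservation-flow attack described above and the "exposed methods are an API" point from the white paper, replayed as an added example. This is not code from the SPI Dynamics demo, the white paper or Computerworld; the flight codes, fare table, method names (reserve, pay, issueTicket) and reservation states are all constructed here for illustration. Both "servers" run in-process so the example works offline, but the calls mirror what a browser would make over XMLHttpRequest.

```javascript
// Added example (not SPI Dynamics' code): a toy AJAX-style reservation back end,
// simulated in-process. Fare table, flight codes and workflow are constructed.

const FARES = { QF401: 250, QF402: 310 };   // constructed fare table, in dollars

// Vulnerable design: the browser-side JavaScript computed the price and drove
// the workflow, so each exposed method trusts whatever the client sends and
// none of them checks which step came before it.
function vulnerableServer() {
  const reservations = {};
  let next = 1;
  return {
    reserve(flight, price) {               // price arrives from the browser
      const id = next++;
      reservations[id] = { flight, price, paid: false };
      return id;
    },
    pay(id, amount) {
      reservations[id].paid = amount >= reservations[id].price;
      return reservations[id].paid;
    },
    issueTicket(id) {                      // never checks that pay() ran
      const r = reservations[id];
      return { flight: r.flight, charged: r.price };
    },
  };
}

// Hardened design: the server owns the price and the state machine. Only the
// methods the workflow needs are exposed, every argument is validated for
// format and length, and each call is accepted only in the state before it.
function hardenedServer() {
  const reservations = {};
  let next = 1;
  const FLIGHT_RE = /^[A-Z]{2}\d{3,4}$/;   // format + length check on untrusted input

  function get(id, expectedState) {
    const r = reservations[id];
    if (!r) throw new Error("unknown reservation");
    if (r.state !== expectedState) throw new Error(`not allowed in state ${r.state}`);
    return r;
  }

  return {
    reserve(flight) {                      // no price parameter: the client cannot set it
      if (typeof flight !== "string" || !FLIGHT_RE.test(flight)) throw new Error("bad flight code");
      if (!(flight in FARES)) throw new Error("no such flight");
      const id = next++;
      reservations[id] = { flight, price: FARES[flight], state: "reserved" };
      return id;
    },
    pay(id, amount) {
      const r = get(id, "reserved");
      if (!Number.isInteger(amount) || amount !== r.price) throw new Error("wrong amount");
      r.state = "paid";
      return true;
    },
    issueTicket(id) {
      const r = get(id, "paid");           // refused unless pay() succeeded first
      r.state = "ticketed";
      return { flight: r.flight, charged: r.price };
    },
  };
}

// True if calling fn() throws, i.e. the server refused the request.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// The "attacker" is just a script calling the exposed methods in its own
// order and with its own values, which is all the Black Hat demo needed.
function runAttacks() {
  const out = {};

  const v = vulnerableServer();
  const id1 = v.reserve("QF401", 1);                  // rewrite the quoted price
  v.pay(id1, 1);
  out.vulnerableUnderpaid = v.issueTicket(id1).charged;          // 1 instead of 250
  const id2 = v.reserve("QF402", 310);
  out.vulnerableSkippedPayment = v.issueTicket(id2) !== undefined; // ticket, no pay()

  const h = hardenedServer();
  const id3 = h.reserve("QF401");                     // price fixed server-side
  out.hardenedPriceFixed = rejects(() => h.pay(id3, 1));
  out.hardenedSkipBlocked = rejects(() => h.issueTicket(id3));
  out.hardenedBadInput = rejects(() => h.reserve("QF401'; DROP TABLE flights--"));
  h.pay(id3, 250);
  out.hardenedHappyPath = h.issueTicket(id3).charged; // 250
  return out;
}

console.log(runAttacks());
```

The hardened version does nothing exotic: it keeps the price and the workflow state on the server, exposes only the three methods the flow needs, and checks each argument's type and format before using it. Those three habits are exactly what the researchers describe as missing from the sites they tested.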


Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited. Copyright 2013 IDG Communications.
ABN 14 001 592 650. All rights reserved.


With over 25 years of brand awareness and credibility, Good Gear Guide (formerly PC World Australia), consistently delivers editorial excellence through award-winning content and trusted product reviews.